Thread ID: 117653 2011-04-27 22:05:00 Malware prob, security centre turns off Renegade (16270) Press F1
Post ID Timestamp Content User
1197890 2011-04-27 22:05:00 Got his PC here (Win7 HomePrem32), guy said he got drunk and went on "some dodgy sites" and had the old fake AV warning.

Seeing these on a weekly basis, I just booted straight into safe mode and nuked with MBAM without checking to see which of the many variants it was. Noticed he had AVG9 on, so I uninstalled it and put MSE on. Now the fun starts. MSE doesn't start: "MSE isn't monitoring your computer because the program's service stopped. You should restart it now." Starting it doesn't work. Also noticed the Security Centre isn't working. Start it in Services and it turns itself back off after 10 seconds! Cleaned off some more crap with Spybot & SuperAntiSpyware but no go.

Any suggestions before I nuke it and format/reinstall?

MBAM & HijackThis logs:

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\2EOETFM3W2 (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\D1T2EUR7FZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Street-Ads (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$XNTUninstall643$ (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{B0E1C323-7403-4DEA-8F1D-B016B9B013B1} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumadeksgrm.brumadeksgrm.1.0 (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumadeksgrm.brumadeksgrm (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B0E1C323-7403-4DEA-8F1D-B016B9B013B1} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B0E1C323-7403-4DEA-8F1D-B016B9B013B1} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B0E1C323-7403-4DEA-8F1D-B016B9B013B1} (Adware.AdRotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D1T2EUR7FZ (Trojan.Downloader) -> Value: D1T2EUR7FZ -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iJh01805gEbMm01805 (Trojan.Fakealert) -> Value: iJh01805gEbMm01805 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Value: bipro -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Windows\$xntuninstall643$ (Adware.AdRotator) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\<username>\AppData\Local\Temp\Rz0.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\programdata\ijh01805gebmm01805\ijh01805gebmm01805.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
c:\Users\<username>\AppData\Local\Temp\a8C5A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Rrymea.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\<username>\favorites\free porn.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\$xntuninstall643$\apuninstall.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
c:\Windows\$xntuninstall643$\qkflt.dll (Adware.AdRotator) -> Quarantined and deleted successfully.
c:\Windows\$xntuninstall643$\zrpt.xml (Adware.AdRotator) -> Quarantined and deleted successfully.



***HJT***
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:53:36 a.m., on 28/04/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo!Xtra Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo!Xtra Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start www.avg.com BMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANAA0ADgANQA4ADgAOQA4ADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADEALQBYAE8AOQArADEA"&"prod=90"&"ver=9.0.894
O4 - HKLM\..\Policies\Explorer\Run: [pvfhhb] C:\Windows\system32\msexch40U.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - Winlogon Notify: hummopt - C:\Windows\system32\config\systemprofile\AppData\Local\hummopt.dll (file missing)

--
End of file - 5511 bytes
Renegade (16270)
1197891 2011-04-27 22:19:00 Boot into safe mode with networking - run Rkill (www.bleepingcomputer.com) - then run Combofix (www.bleepingcomputer.com) wainuitech (129)
1197892 2011-04-28 00:48:00 Hmmmm, both of those are bluescreening:
storport.sys + IRQL_NOT_LESS_EQUAL

Time to test RAM & hard drive?
www.sevenforums.com
Renegade (16270)
1197893 2011-04-28 01:09:00 Could be RAM, but I doubt it. As per the link you posted:

storport.sys is a Windows storage controller driver, not the true cause of this.

The malware by the looks of it has really done a number on the OS / drivers.

Sometimes what you see is only the tip of the iceberg, as the saying goes. Some infections are deeply embedded, and the only way to remove them is to save any data, nuke the drive and reinstall.

If those programs won't run in safe mode with networking, try straight safe mode. If they still won't work, nuke the thing.

Race ya :p Doing one right now after cloning the drive to save the data; similar infection and the bloody thing simply won't leave no matter what I do, and it's VERY badly damaged.
wainuitech (129)
1197894 2011-04-28 01:17:00 LOL, same in Safemode. Harddrive Sentinel can't report the drive status, and Seatools has a Fatal Error: Device Discovery. This is well done in by the looks of it.

Luckily the dude has absolutely no data on this, just uses it for webmail, Facebook, MSN & I guess occasional porn! Just need to back up IE favs and it's ready to roll.
Renegade (16270)
1197895 2011-04-28 01:41:00 Just doing another one I collected this morning, has the XP antivirus malware.

Removed the main file from documents and settings -- then ran combofix, and lookey what it found instantly (attachment) :)

PS: the customer has Trend Micro Internet Security :(
wainuitech (129)
1197896 2011-04-28 01:44:00 Put this on a bootable flash drive (support.kaspersky.com) if you have one, then run it. It may also be a rootkit. Or, if you can get into Windows, run it after you get into Windows.

You can remove these from the HJT log:

O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start www.avg.com BMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANAA0ADgANQA4ADgAOQA4ADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQAxADAAQQArADEALQBYAE8AOQArADEA"&"prod=90"&"ver=9.0.894

O4 - HKLM\..\Policies\Explorer\Run: [pvfhhb] C:\Windows\system32\msexch40U.exe

O20 - Winlogon Notify: hummopt - C:\Windows\system32\config\systemprofile\AppData\Local\hummopt.dll (file missing)

If you can't get into the normal account and you've got another account, do this in the other account.
Speedy Gonzales (78)
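Speedy's three picks follow patterns that can be checked mechanically. As an added example (not part of the thread), this Python snippet runs those checks over a constructed sample of O4/O20 lines shaped like the HJT log above: an autostart under Policies\Explorer\Run, an autostart that launches cmd.exe, and a Winlogon Notify DLL that is missing or lives under a profile directory. SAMPLE_HJT and triage_hjt are this example's own names, and the AVG blob is replaced by a placeholder.

```python
import re

# Constructed sample: five lines in the shape of the HijackThis log above,
# the three entries Speedy Gonzales pointed at plus two benign ones (the AVG
# base64 blob is replaced by a placeholder).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start www.avg.com BLOB"&"prod=90
O4 - HKLM\..\Policies\Explorer\Run: [pvfhhb] C:\Windows\system32\msexch40U.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O20 - Winlogon Notify: hummopt - C:\Windows\system32\config\systemprofile\AppData\Local\hummopt.dll (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<subkey>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")

def triage_hjt(text):
    """Return [(line, reason)] for O4/O20 entries matching the patterns the
    replies above flagged. A hit means 'look at this', not 'this is malware'."""
    findings = []
    for line in text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            subkey, cmd = m.group("subkey", "cmd")
            if "Policies\\Explorer\\Run" in subkey:
                findings.append((line, "autostart via Policies\\Explorer\\Run, which legitimate installers rarely use"))
            elif re.match(r"cmd(\.exe)?\s", cmd, re.I):
                findings.append((line, "autostart launches cmd.exe rather than a program; read the command line"))
            continue
        m = O20_RE.match(line)
        if m and ("(file missing)" in m.group("cmd") or "systemprofile" in m.group("cmd")):
            findings.append((line, "Winlogon Notify DLL is gone or lives under a profile directory; remove the entry"))
    return findings
```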
1197897 2011-04-28 02:01:00 LOL, same in Safemode. Harddrive Sentinel can't report the drive status, and Seatools has a Fatal Error: Device Discovery. This is well done in by the looks of it.

Use HDAT2 then, it boots from its own media so should work just fine.
Agent_24 (57)
1197898 2011-04-28 04:17:00 The bootable HDS works and reports drive ok.

TDSSKiller found and cured a rootkit, but the system is still flaky. Re-install time:banana
Renegade (16270)
1197899 2011-04-28 04:54:00 Get Trojan Remover, run it, then click on Scan. Then select all options under the Utils menu. Then open a command prompt as admin and type sfc /scannow.

Save this as a .reg file, then run it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc]
"DisplayName"="@%SystemRoot%\\System32\\wscsvc.dll,-200"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,65,00,73,00,74,00,\
  72,00,69,00,63,00,74,00,65,00,64,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\System32\\wscsvc.dll,-201"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,57,00,69,00,6e,00,\
  4d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="NT AUTHORITY\\LocalService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,00,00
"DelayedAutoStart"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Security]
"Security"=hex:01,00,14,80,c8,00,00,00,d4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,98,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
  00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,28,00,15,00,00,00,01,06,00,\
  00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,e5,55,dc,f4,e2,0e,a7,8b,eb,ca,\
  7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
  00,00,00
Speedy Gonzales (78)